Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.687.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) up####.app.2####.com:80
- TCP(HTTP/1.1) lian####.dftou####.com:80
- TCP(HTTP/1.1) sdknati####.dftou####.com:80
- TCP(HTTP/1.1) sdk-col####.dftou####.com:80
- TCP(HTTP/1.1) b####.2####.com:80
- TCP(HTTP/1.1) t####.dftou####.com:80
- TCP(HTTP/1.1) sh####.2####.cn:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) 02.img####.eas####.####.com:80
- TCP(HTTP/1.1) sdk-new####.dftou####.com:80
- TCP(HTTP/1.1) down####.app.2####.com:80
- TCP(HTTP/1.1) sdk-ac####.dftou####.com:80
- TCP(HTTP/1.1) sdk-ser####.dftou####.com:80
- TCP(HTTP/1.1) i####.sogo####.com.####.com:80
- TCP(TLS/1.0) wapif####.dftou####.com:443
- TCP(TLS/1.0) e####.b####.com:443
- TCP(TLS/1.0) repor####.dftou####.com:443
- TCP(TLS/1.0) i####.km.com.####.com:443
- TCP(TLS/1.0) c####.baidust####.com:443
- TCP(TLS/1.0) t####.eas####.com:443
- TCP(TLS/1.0) wn.pos.b####.com:443
- TCP(TLS/1.0) i.k####.com:443
- TCP(TLS/1.0) tou####.eas####.com:443
- TCP(TLS/1.0) softwor####.dftou####.com:443
- TCP(TLS/1.0) ub####.baidust####.com:443
- TCP(TLS/1.0) yu####.3g.qq.com:443
- TCP(TLS/1.0) b####.2####.com:443
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) image####.b####.com:443
- TCP(TLS/1.0) d####.eas####.com:443
- TCP(TLS/1.0) wapac####.dftou####.com:443
- TCP(TLS/1.0) 02.img####.eas####.####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) cm.b####.com:443
- TCP(TLS/1.0) si####.jom####.com:443
Запросы DNS:
- 0####.s####.com
- 00.img####.eas####.com
- 01.img####.eas####.com
- 02.img####.eas####.com
- 03.img####.eas####.com
- 04.img####.eas####.com
- 05.img####.eas####.com
- 06.img####.eas####.com
- 08.img####.eas####.com
- 09.img####.eas####.com
- 22.146.205.####.arpa
- a####.u####.com
- app.50####.org
- b####.2####.com
- b####.km.com
- c####.baidust####.com
- c####.baidust####.com
- cm.b####.com
- d####.eas####.com
- down####.app.2####.com
- e####.b####.com
- f10.b####.com
- f11.b####.com
- f12.b####.com
- hm.b####.com
- i####.3g.qq.com
- i####.km.com
- i####.km.com
- i####.km.com
- i####.km.com
- i####.km.com
- i####.km.com
- i####.sogo####.com
- i####.sogo####.com
- i.k####.com
- image####.b####.com
- imgsre####.dftou####.com
- lian####.dftou####.com
- m####.eas####.com
- m####.km.com
- pos.b####.com
- repor####.dftou####.com
- sdk-ac####.dftou####.com
- sdk-col####.dftou####.com
- sdk-new####.dftou####.com
- sdk-ser####.dftou####.com
- sdknati####.dftou####.com
- sh####.2####.cn
- sh####.2####.com
- softwor####.dftou####.com
- sp0.b####.com
- t####.dftou####.com
- t####.eas####.com
- t10.b####.com
- t11.b####.com
- t12.b####.com
- tou####.eas####.com
- u####.3g.qq.com
- ub####.baidust####.com
- up####.app.2####.com
- wapac####.dftou####.com
- wapif####.dftou####.com
- wn.pos.b####.com
- yu####.3g.qq.com
Запросы HTTP GET:
- 02.img####.eas####.####.com/mobile/20180206/20180205_15c56377396e16761bc...
- 02.img####.eas####.####.com/mobile/20180206/20180205_170c8e767611246ed32...
- 02.img####.eas####.####.com/mobile/20180206/20180205_184cc0aca2ecc14792b...
- 02.img####.eas####.####.com/mobile/20180207/20180207_8b4457b4b80c098eba1...
- 02.img####.eas####.####.com/mobile/20180207/20180207_aae0650557e1282078a...
- 02.img####.eas####.####.com/mobile/20180207/20180207_c21a8c98efe1f985b44...
- 02.img####.eas####.####.com/mobile/20180208/20180208214811_7ee301f85dd6f...
- 02.img####.eas####.####.com/mobile/20180208/20180208_1b627056206a444aba2...
- 02.img####.eas####.####.com/mobile/20180208/20180208_64aa7fbf637d0baf7f6...
- 02.img####.eas####.####.com/mobile/20180208/20180208_dcdf237f25d1cd33f6e...
- 02.img####.eas####.####.com/mobile/20180209/20180209025327_29c51c804deee...
- 02.img####.eas####.####.com/mobile/20180209/20180209070500_39e95c03913a4...
- 02.img####.eas####.####.com/video/vgaoxiao/20180208/20180208184550217424...
- b####.2####.com/?android####
- b####.2####.com/m/?android####
- down####.app.2####.com/lord/jlittle/262000/CryptLordHeart_jlittle.jar?26...
- i####.sogo####.com.####.com/app/a/200630/28938d9f20cbf6c32c771659e1f422b0
- i####.sogo####.com.####.com/app/a/200630/492afec9758bda3eff3fb23604168a08
- i####.sogo####.com.####.com/app/a/200630/608854e7940292c6f29ef9d1fca05fce
- sh####.2####.cn/api/getProductInfo.php?act=####
- sh####.2####.cn/api/getStatisticListNew.php?promotion_method=####
Запросы HTTP POST:
- a####.u####.com/app_logs
- lian####.dftou####.com/union/com.union.internalinterface.allianceadverti...
- sdk-ac####.dftou####.com/actlog_sdk/data
- sdk-ac####.dftou####.com/actlog_sdk/install
- sdk-ac####.dftou####.com/actlog_sdk/open
- sdk-col####.dftou####.com/columns_sdk/news
- sdk-new####.dftou####.com/newsapi_sdk/newspool
- sdk-ser####.dftou####.com/cloudcontrol/cloudcontrol
- sdk-ser####.dftou####.com/serverts/getserverts
- sdknati####.dftou####.com/admethod/appad
- sdknati####.dftou####.com/union/api
- sh####.2####.cn/api/apiForAndroidAdConf.php
- t####.dftou####.com/getkey/key
- up####.app.2####.com/index.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/f_000021
- <Package Folder>/cache/####/f_000022
- <Package Folder>/cache/####/f_000023
- <Package Folder>/cache/####/f_000024
- <Package Folder>/cache/####/f_000025
- <Package Folder>/cache/####/f_000026
- <Package Folder>/cache/####/f_000027
- <Package Folder>/cache/####/f_000028
- <Package Folder>/cache/####/f_000029
- <Package Folder>/cache/####/f_00002a
- <Package Folder>/cache/####/f_00002b
- <Package Folder>/cache/####/f_00002c
- <Package Folder>/cache/####/f_00002d
- <Package Folder>/cache/####/index
- <Package Folder>/databases/HalleyAction_100__beacon.db-journal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/dfttsdk-db-journal
- <Package Folder>/databases/halley_schedule_100__HttpSchedulerCl...ournal
- <Package Folder>/databases/halley_schedule_100__HttpSchedulerHa...ournal
- <Package Folder>/databases/okhttputils_cache.db
- <Package Folder>/databases/okhttputils_cache.db-journal
- <Package Folder>/databases/sdk_usbhelper.db
- <Package Folder>/databases/sdk_usbhelper.db-journal
- <Package Folder>/databases/tj2345.db
- <Package Folder>/databases/tj2345.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/.imprint
- <Package Folder>/files/CryptLordHeart.jar
- <Package Folder>/files/exid.dat
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/HalleyServicePreferences_100_.xml
- <Package Folder>/shared_prefs/LocationSDK.xml
- <Package Folder>/shared_prefs/cc_c_t_m_l_txsdk.xml
- <Package Folder>/shared_prefs/gxcoreframework_app_setting.xml
- <Package Folder>/shared_prefs/gxcoreframework_app_setting.xml (deleted)
- <Package Folder>/shared_prefs/gxcoreframework_cache_data_news_list.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/tongji2345.xml
- <Package Folder>/shared_prefs/tongji2345_app_use.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/xml/sdk_app_used_data.xml
- <Package Folder>/xml/sdk_config_data.xml
- <Package Folder>/xml/sdk_crc32_data.xml
- <Package Folder>/xml/sdk_device_data.xml
- <Package Folder>/xml/sdk_sdk_data.xml
- <Package Folder>/xml/sdk_server_path_list.xml
- <Package Folder>/xml/sdk_server_watch_list.xml
- <Package Folder>/xml/sdk_upgrade_data.xml
- <Package Folder>/xml/sdk_watch_list.xml
- <SD-Card>/.CryptLord/####/sdk_app_used_data.xml
- <SD-Card>/.CryptLord/####/sdk_config_data.xml
- <SD-Card>/.CryptLord/####/sdk_crc32_data.xml
- <SD-Card>/.CryptLord/####/sdk_device_data.xml
- <SD-Card>/.CryptLord/####/sdk_sdk_data.xml
- <SD-Card>/.CryptLord/####/sdk_server_path_list.xml
- <SD-Card>/.CryptLord/####/sdk_server_watch_list.xml
- <SD-Card>/.CryptLord/####/sdk_upgrade_data.xml
- <SD-Card>/.CryptLord/####/sdk_usbhelper.db
- <SD-Card>/.CryptLord/####/sdk_usbhelper.db-journal
- <SD-Card>/.CryptLord/####/sdk_watch_list.xml
- <SD-Card>/.CryptLord/CryptLordHeart.jar
- <SD-Card>/.system_uuid
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/CryptLordHeart_jlittle.jar
- <SD-Card>/dftt_sdk_2345/####/-1028852767.tmp
- <SD-Card>/dftt_sdk_2345/####/-1092730603.tmp
- <SD-Card>/dftt_sdk_2345/####/-1174881085.tmp
- <SD-Card>/dftt_sdk_2345/####/-1227321187.tmp
- <SD-Card>/dftt_sdk_2345/####/-1514541633.tmp
- <SD-Card>/dftt_sdk_2345/####/-1628623906.tmp
- <SD-Card>/dftt_sdk_2345/####/-1822918535.tmp
- <SD-Card>/dftt_sdk_2345/####/-2009810415.tmp
- <SD-Card>/dftt_sdk_2345/####/-2042616014.tmp
- <SD-Card>/dftt_sdk_2345/####/-405254686.tmp
- <SD-Card>/dftt_sdk_2345/####/-476830829.tmp
- <SD-Card>/dftt_sdk_2345/####/-885765975.tmp
- <SD-Card>/dftt_sdk_2345/####/-90795236.tmp
- <SD-Card>/dftt_sdk_2345/####/14097a26c687be49926e4fc69d52c806.html
- <SD-Card>/dftt_sdk_2345/####/1413257678.tmp
- <SD-Card>/dftt_sdk_2345/####/1878520357.tmp
- <SD-Card>/dftt_sdk_2345/####/2128160927.tmp
- <SD-Card>/dftt_sdk_2345/####/282722250.tmp
- <SD-Card>/dftt_sdk_2345/####/324502983.tmp
- <SD-Card>/dftt_sdk_2345/####/407e5119df0781ed21e6526e90048edc.html
- <SD-Card>/dftt_sdk_2345/####/439217185.tmp
- <SD-Card>/dftt_sdk_2345/####/439629408.tmp
- <SD-Card>/dftt_sdk_2345/####/635b5c3c88a62da6d986890e9e343f98.html
- <SD-Card>/dftt_sdk_2345/####/70e777824ff7756076d5fb207d78d072.html
- <SD-Card>/dftt_sdk_2345/####/7e5db3d9f656323ca137fca6aa69ef41.html
- <SD-Card>/dftt_sdk_2345/####/8bccb99284ca9c05695993b68bb2cf52.html
- <SD-Card>/dftt_sdk_2345/####/940140577.tmp
- <SD-Card>/dftt_sdk_2345/####/a0b929d24d19875b8fde872c65970a2d.html
Другие:
Запускает следующие shell-скрипты:
- app_process /system/bin com.android.commands.pm.Pm list packages
- getprop gsm.denqin.meid
- ping -c 1 -w 5 info.3g.qq.com
- pm list packages
- ps
Загружает динамические библиотеки:
- tencentloc
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
